(57) Providing access to a mobile user session in a manner that more closely corresponds access to network resources to the trustworthiness of authentication methods and devices associated with the mobile user session. Characteristics of authentication methods associated with a mobile user session are synthesized to generate an authentication bundle. Characteristics may include data associated with passwords, biometric data or devices used to execute an authentication method.



By synthesizing characteristics in varied manners, a non-binary sliding scale of access to network resources may be generated. An authentication bundle may be accessed to grant a mobile user session appropriate access to network resources. Granting access may include generating an authorization token that is passed to a filter or reverse proxy. Access to network resources may be dynamically modified as authentication methods associated with a mobile user session change.
Description

BACKGROUND OF THE INVENTION 

1. The Field of the Invention

[0001] The present invention relates to network security. More specifically, the present invention relates to systems, methods, and computer program products for granting and dynamically modifying access to network resources where access may correspond to the trustworthiness of authentication methods and devices associated with a user session.

2. Background and Relevant Art

[0002] Today it is very difficult, if not impossible, for network administrators to give mobile users appropriate access to network resources. Conventional methods for granting access to network resources are binary for the most part. That is, either a user is "logged on," and may access network resources, or the user is "logged off," and cannot access network resources. This binary approach is followed even though the use of different devices and different authentication methods results in different levels of trustworthiness.

[0003] For example, by entering a dual tone multi-frequency ("DTMF") personal identification number ("PIN") from a pay phone, a user may be granted the same access to network resources as by entering a password at a computer directly coupled to a corporate intranet. Entering a password from a computer directly coupled to a corporate intranet may be considered more secure than entering a DTMF PIN from a pay phone. Yet both authentication methods may result in the same access to network resources. Binary approaches are often problematic for mobile user sessions due to the wide variety of devices and corresponding authentication methods used in a mobile environment.
[0004] In some cases, network managers may implement secondary domains, secondary user accounts, and various other means to try to give appropriate access to mobile users. For example, a user may have a local user account and a mobile user account. The local user account may be configured to operate only on trusted computing devices. This allows different access rights to be assigned to users depending on their location. Thus, a local user account may be given more access to network resources than a mobile user account. However, this is still a binary approach, as any conventional access method would grant the mobile user account the same access to network resources. For example, a mobile user calling from a pay phone who logs on using a DTMF PIN and a mobile user calling from a secure mobile phone who speaks a complex challenge-response password may both receive the same access to network resources. In other words, when a mobile user account is granted access to network resources, no consideration is given to the trustworthiness of authentication methods or devices. Furthermore, this method requires additional effort to establish and maintain the mobile user account.

[0005] Another approach is to assign certain mobile access methods as trustworthy. For example, a network may be configured to allow mobile access from a secure caller line ID or for users who are voiceprinted. However, this approach also results in binary access to network resources and does not consider the trustworthiness of methods or devices associated with the mobile user session. For example, a mobile user voiceprinted from a public telephone or a secure mobile phone may receive the same access, while a mobile user requesting access via any non-trusted access method is completely denied access to network resources. This approach is often ineffective due to environmental factors as well. For example, a user may roam out of their local calling area and the secure nature of a mobile phone cannot be verified, or a user may have a cold and not be able to use voiceprint. In these cases, trustworthiness of methods and devices requesting access may still be relatively high but access to network resources is denied.
[0006] Considering the trustworthiness of devices as- 
sociated with a user session is especially important 
when some access methods are predetermined as be- 
ing secure. During a request for access to network re- 
sources, a mobile user may present a user ID and a 
password. In some cases, DTMF tones may facilitate 
entry of these credentials. Conventional authentication 
methods may grant the same access to network re- 
sources whether these credentials are entered from a 
public pay phone or from a secure mobile phone. This 
may not grant appropriate access, as a secure mobile 
phone may be considered more trustworthy than a pub- 
lic pay phone. 

[0007] Therefore, what is desired are systems, meth- 
ods, and computer program products for granting or dy- 
namically modifying access to network resources in a 
manner that may correspond access to the trustworthi- 
ness of authentication methods and devices associated 
with a user session. 

BRIEF SUMMARY OF THE INVENTION 

[0008] The principles of the present invention provide 
for granting and dynamically modifying a user session's 
access to network resources, where access may corre- 
spond to the trustworthiness of authentication methods 
and devices associated with the user session. Charac- 
teristics associated with authentication methods are 
synthesized to create an authentication bundle that may 
include information representative of access to network 
resources. A security module may receive the authen- 
tication bundle and a user session may be granted ac- 
cess to the representative network resources based on 
the authentication bundle. 

[0009] A user session may attempt to authenticate to a network using one or more authentication methods. When authentication is attempted, characteristics representative of authentication methods may be detected. Such characteristics may include a type of device associated with the authentication attempt, for example, a telephone, a computer, a mobile telephone, a personal digital assistant, or a hand-held computer. Characteristics associated with an authentication method may also include a type of authentication such as password or biometric authentication. Such characteristics may also include how a type of authentication was entered, for example, by using keys of a telephone keypad, keys of a conventional keyboard, spoken phrases, or fingerprints. Other characteristics may also be detected, such as whether a device is a known device and whether a device is a secure device.

[0010] The characteristics may then be synthesized to facilitate generation of an authentication bundle representative of an appropriate extent of access to network resources. Synthesizing may include consideration of different characteristics of authentication methods associated with a user session. Different combinations of characteristics may result in different access to network resources or the same access to network resources. For example, entering a DTMF PIN from a payphone may result in less access to network resources than being voiceprinted. However, entering a DTMF PIN from a secure mobile phone may perhaps result in the same access to network resources as being voiceprinted. The amount of access to network resources granted to different authentication methods may be predefined. For example, a corporate information technology department may wish to manage authentication methods by assigning different levels of access to different authentication methods.
[0011] A module may access an authentication bundle to facilitate granting a user session an appropriate extent of access to network resources. The extent of access granted depends on the representative information included in the authentication bundle. In one example, the module grants access by generating an authorization token identifying an extent of access to network resources. Thus, any given user may be granted a variety of different access permissions depending on how the user authenticated and from what device. Accordingly, for example, a user that authenticates from a less secure device via a less secure authentication method would typically be granted less access to network resources than if the user authenticated using a more secure authentication method from a more secure device.
[0012] The module may also consider whether an established user session has, during the course of the user session, implemented any additional authentication methods and/or transitioned to a more secure device. Thus, the module may dynamically grant additional access rights to a user session as circumstances warrant. Conversely, if for some reason during a user session a previously successful authentication method were to fail, or perhaps the user were to transition to a less secure device, the module may dynamically revoke existing access rights from a user session. Granting and revoking access may be facilitated by a reverse proxy or filter associated with the user session. When access rights are granted or revoked, a user associated with a user session may be so notified.
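The synthesis, token and filter described in [0009] through [0012], as an added example that is not code from this patent or its assignee: an assumed scoring policy turns the detected characteristics into an authentication bundle with a level on a sliding scale, an access granting module issues an opaque authorization token and keeps the live bundle behind it, and a reverse-proxy filter consults that live bundle on every request, so a session re-evaluated after a method fails or after a device transition loses rights at once. The weights, level names, thresholds, resource paths and the "strongest method plus one per further method" rule are all assumptions; the patent leaves the predefined levels to the site's IT department.

```python
"""Added example (not code from EP 1301006 A1): characteristics synthesized
into an authentication bundle, a non-binary access scale, an access granting
module issuing opaque authorization tokens, and a reverse-proxy filter that
sees a session re-evaluated as its authentication methods change. All
weights, level names, thresholds, paths and the synthesis rule are assumed."""
from dataclasses import dataclass, replace
import secrets

@dataclass(frozen=True)
class AuthCharacteristics:          # what is detected per authentication method ([0009])
    method: str                     # e.g. "dtmf_pin", "password", "voiceprint"
    device: str                     # e.g. "pay_phone", "mobile_phone", "pc"
    entry: str                      # e.g. "keypad", "spoken"; recorded, not weighted here
    known_device: bool
    secure_device: bool

# Assumed trust weights an IT department would predefine ([0010]).
METHOD_WEIGHT = {"dtmf_pin": 1, "password": 2, "voiceprint": 3,
                 "fingerprint": 3, "challenge_response": 3}
DEVICE_WEIGHT = {"pay_phone": 0, "mobile_phone": 0, "pda": 0, "pc": 2}
SECURE_BONUS, KNOWN_BONUS = 2, 1
LEVELS = [(0, "none"), (1, "status"), (3, "mail"), (5, "files"), (8, "admin")]  # min score per level
ORDER = [name for _, name in LEVELS]
RESOURCE_LEVEL = {"/status": "status", "/mail": "mail", "/files": "files", "/admin": "admin"}

@dataclass(frozen=True)
class AuthBundle:
    level: str
    score: int

def score_method(c: AuthCharacteristics) -> int:
    s = METHOD_WEIGHT[c.method] + DEVICE_WEIGHT[c.device]
    return s + (SECURE_BONUS if c.secure_device else 0) + (KNOWN_BONUS if c.known_device else 0)

def synthesize(methods) -> AuthBundle:
    """Assumed rule: strongest method sets the score, each further method adds one."""
    scores = sorted((score_method(c) for c in methods), reverse=True)
    total = scores[0] + len(scores) - 1 if scores else 0
    level = max((name for floor, name in LEVELS if total >= floor), key=ORDER.index)
    return AuthBundle(level, total)

class AccessGrantingModule:
    """Keeps the live bundle behind an opaque token, so a revocation reaches
    the filter on the very next request ([0012])."""
    def __init__(self):
        self._live = {}
    def grant(self, bundle: AuthBundle, token=None) -> str:
        token = token or secrets.token_urlsafe(16)   # new token, or refresh an existing one
        self._live[token] = bundle
        return token
    def bundle_for(self, token):
        return self._live.get(token)

class ReverseProxyFilter:
    def __init__(self, agm: AccessGrantingModule):
        self.agm = agm
    def allow(self, token, path: str) -> bool:
        bundle, required = self.agm.bundle_for(token), RESOURCE_LEVEL.get(path)
        if bundle is None or required is None:   # unknown token or resource: deny
            return False
        return ORDER.index(bundle.level) >= ORDER.index(required)

class MobileUserSession:
    def __init__(self, agm: AccessGrantingModule):
        self.agm, self.methods, self.token, self.notices = agm, [], None, []
    def _reevaluate(self) -> str:
        old = self.agm.bundle_for(self.token) if self.token else None
        new = synthesize(self.methods)
        self.token = self.agm.grant(new, self.token)
        if old is None:
            self.notices.append(f"granted {new.level}")
        elif old.level != new.level:              # tell the user about the change
            self.notices.append(f"{old.level} -> {new.level}")
        return new.level
    def authenticate(self, c: AuthCharacteristics) -> str:
        self.methods.append(c)
        return self._reevaluate()
    def method_failed(self, method: str) -> str:
        self.methods = [c for c in self.methods if c.method != method]
        return self._reevaluate()
    def transition_device(self, device: str, known: bool, secure: bool) -> str:
        self.methods = [replace(c, device=device, known_device=known, secure_device=secure)
                        for c in self.methods]
        return self._reevaluate()

def walkthrough():
    """Constructed scenario from the patent's own examples: returns the level
    after each step, whether /files was reachable at that moment, and the notices."""
    agm = AccessGrantingModule()
    proxy, s, trace = ReverseProxyFilter(agm), MobileUserSession(agm), []
    def step(level):
        trace.append((level, proxy.allow(s.token, "/files")))
    step(s.authenticate(AuthCharacteristics("dtmf_pin", "pay_phone", "keypad", False, False)))
    step(s.transition_device("mobile_phone", known=True, secure=True))
    step(s.authenticate(AuthCharacteristics("voiceprint", "mobile_phone", "spoken", True, True)))
    step(s.method_failed("voiceprint"))       # user has a cold; voiceprint no longer valid
    step(s.transition_device("pay_phone", known=False, secure=False))
    return trace, s.notices
```

Keeping the bundle server-side behind an opaque token is a deliberate choice: a self-contained signed token would have to be reissued, and the old one blacklisted, before a revocation took effect, whereas here the filter's lookup is the revocation. In the walkthrough the same user reaches "status", "mail", "files", "mail" and "status" in turn, and /files is reachable only while the voiceprint from the secure phone is still valid.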

[0013] By considering characteristics of authentica- 
tion methods, a user session may be granted appropri- 
ate access to network resources in a non-binary man- 
ner. That is, there is a sliding scale from which access 
to network resources may be given. Based on repre- 
sentative characteristics of authentication methods and 
devices available at any given moment, access to net- 
work resources may change. Thus, a user session may 
be granted access that more closely corresponds to the 
trustworthiness of authentication methods and devices 
associated with the user session. 
[0014] Additional features and advantages of the in- 
vention will be set forth in the description which follows, 
and in part will be obvious from the description, or may 
be learned by the practice of the invention. The features 
and advantages of the invention may be realized and 
obtained by means of the instruments and combinations 
particularly pointed out in the appended claims. These 
and other features of the present invention will become 
more fully apparent from the following description and 
appended claims, or may be learned by the practice of 
the invention as set forth hereinafter. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0015] In order to describe the manner in which the 
above-recited and other advantages and features of the 
invention can be obtained, a more particular description 
of the invention briefly described above will be rendered 
by reference to specific embodiments thereof which are 
illustrated in the appended drawings. Understanding 
that these drawings depict only typical embodiments of 
the invention and are not therefore to be considered to 
be limiting of its scope, the invention will be described 
and explained with additional specificity and detail 
through the use of the accompanying drawings in which: 
[0016] Figure 1A illustrates an example mobile computing device that provides a suitable operating environment for the present invention.

[0017] Figure 1B illustrates an example network en- 
vironment that provides a suitable operating environ- 
ment for the present invention. 

[0018] Figure 2 is a flow diagram illustrating an exam- 
ple of a method for granting access to network resourc- 
es. 

DETAILED DESCRIPTION OF THE PREFERRED 
EMBODIMENTS 

[0019] The present invention extends to systems, methods, and computer program products for granting and dynamically modifying access to network resources where access may correspond to the trustworthiness of authentication methods and devices associated with a user session. A device may be engaged in a user session in which one or more authentication methods have been used. Characteristics of the authentication methods and devices may be accessed to create an authentication bundle that includes information representative of access to network resources. As authentication methods associated with a user session change, a user session's access to network resources may be correspondingly modified.

[0020] During operation, characteristics of authentication methods and devices associated with a user session may be accessed. The accessed characteristics may be synthesized to generate an authentication bundle. Since the authentication bundle is generated from characteristics of authentication methods and devices, the authentication bundle may include data representative of an appropriate extent of access to network resources. This representative data may be based on the trustworthiness of the authentication methods and devices. An access granting module may access the authentication bundle and cause a user session to be granted the appropriate extent of access to the network resources represented in the authentication bundle.
[0021] The embodiments of the present invention may comprise a special purpose or general purpose computing device including various computer hardware, as discussed in greater detail below. Embodiments within the scope of the present invention also include computer-readable media for carrying or having computer-executable instructions or data structures stored thereon. Such computer-readable media may be any available media which is accessible by a general purpose or special purpose computer. By way of example, and not limitation, such computer-readable media can comprise physical storage media such as RAM, ROM, EPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to carry or store desired program code means in the form of computer-executable instructions or data structures and which may be accessed by a general purpose or special purpose computer.
[0022] When information is transferred or provided over a network or another communications connection (either hardwired, wireless, or a combination of hardwired or wireless) to a computer, the computer properly views the connection as a computer-readable medium. Thus, any such connection is properly termed a computer-readable medium. Combinations of the above should also be included within the scope of computer-readable media. Computer-executable instructions comprise, for example, instructions and data which cause a general-purpose computer, special-purpose computer, or special-purpose processing device to perform a certain function or group of functions.



[0023] Embodiments of the present invention may al- 
so operate in a networked environment using logical 
communication links, such as logical communication 
link 130 illustrated in Figure 1B, to one or more other 
computing devices. Computing devices may be a per- 
sonal computer, a mobile phone, a personal digital as- 
sistant ("PDA"), a server, a router, a network PC, a peer 
device or other common network node. These comput- 
ing devices may typically include a processing unit, a 
system memory, a system bus that couples various sys- 
tem components including the processing unit to the 
system memory, and any of the physical storage media 
discussed above. The system bus may be any of several 
types of bus structures including a memory bus or a 
memory controller, a peripheral bus, and a local bus us- 
ing any of a variety of bus architectures. The system 
memory may include read only memory (ROM) and ran- 
dom access memory (RAM). A basic input/output sys- 
tem (BIOS), containing the basic routines that help 
transfer information between elements within the com- 
puting device, such as during start-up, may be stored in 
ROM. 

[0024] The logical communication links depicted in Figure 1B may include portions of a local area network ("LAN") and/or a wide area network ("WAN") that are presented here by way of example but not limitation. Such networking environments are commonplace in office-wide or enterprise-wide computer networks, such as intranets and the Internet. When used in a LAN networking environment, a computing device may be connected to a local network through a network interface or adapter.

[0025] When used in a WAN networking environment 
a computing device may include a modem, a wireless 
link, or other means for establishing communications 
over a wide area network, such as the Internet. The mo- 
dem, which may be internal or external, may be con- 
nected to a system bus via a serial port interface. In a 
networked environment, program modules or portions 
thereof, may be stored in a remote memory storage de- 
vice. It will be appreciated that the network connections 
shown in Figure 1B are exemplary and other means of 
establishing communications over a LAN or WAN may 
be used. 

[0026] Those skilled in the art will appreciate that the invention may be practiced in network computing environments with many types of computer system configurations, including personal computers, hand-held devices, multi-processor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers, mobile telephones, PDAs, pagers, and the like. The invention may also be practiced in distributed computing environments where local and remote computing devices, which are linked (either by hardwired links, wireless links, or by a combination of hardwired or wireless links) through a communication network, both perform tasks. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.

[0027] Figure 1A and the following discussion are intended to provide a brief, general description of a suitable computing environment in which the invention may be implemented. Although not required, the invention will be described in the general context of computer-executable instructions, such as program modules, being executed by computing devices. Generally, program modules include routines, programs, objects, components, data structures, and the like, which perform particular tasks or implement particular abstract data types. Computer-executable instructions, associated data structures, and program modules represent examples of the program code means for executing steps of the methods disclosed herein. The particular sequences of such executable instructions or associated data structures represent examples of corresponding acts for implementing the functions described in such steps.
[0028] With reference to Figure 1A, a suitable operating environment for the principles of the invention includes a general-purpose computing device in the form of a telephonic device 100. The telephonic device 100 includes a user interface 101 for allowing a user to input information through an input user interface 103, and review information presented via an output user interface 102. For example, the output user interface 102 includes a speaker 104 for presenting audio information to the user, as well as a display 105 for presenting visual information to the user. The telephonic device 100 may also have an antenna 109 if the telephonic device 100 has wireless capabilities.

[0029] The input user interface 103 may include a microphone 106 for rendering audio information into electronic form. In addition, the input user interface 103 includes dialing controls 107 represented by 12 buttons through which a user may enter information. Input user interface 103 also includes navigation control buttons 108 that assist the user in navigating through various entries and options listed on display 105.
[0030] Although the user interface 101 has the appearance of a mobile telephone, the unseen features of the user interface 101 may allow for complex and flexible general-purpose processing capabilities. For example, the telephonic device 100 also includes a processor 111 and a memory 112 that are connected to each other and to the user interface 101 via a bus 110. The memory 112 generally represents a wide variety of volatile and/or non-volatile memories and may include types of memory previously discussed. However, the particular type of memory used in the telephonic device 100 is not important to the present invention.

[0031] Although a telephonic device is illustrated in Figure 1A, embodiments of the present invention may also be practiced with a personal computer. A personal computer may include any of the components discussed with respect to telephonic device 100. A personal computer may also be associated with an input user interface in the form of a keyboard and/or mouse and an output user interface in the form of a display device. A personal computer may be coupled to associated network systems via wireless technologies, hardwired technologies, or combinations thereof.

[0032] Program code means comprising one or more program modules may be stored in memory 112. The one or more program modules may include an operating system 113, one or more application programs 114, other program modules 115, and program data 116.

[0033] While Figure 1A represents a suitable operating environment for the present invention, the principles of the present invention may be employed in any device that is capable, with suitable modification if necessary, of implementing the principles of the present invention. The environment illustrated in Figure 1A is illustrative only and by no means represents even a small portion of the wide variety of environments in which the principles of the present invention may be implemented.

[0034] In this description and in the following claims, a "user session" is defined as a continued communication relationship between two devices, which may involve the exchange of data between the two devices. This may include a lasting connection between two devices where resources are continually allocated to maintain the connection or a connectionless relationship where resources are not continually allocated to maintain a connection. An example of a connectionless relationship may be a Short Message Service ("SMS") environment where messages are sent to a mobile device at intervals.

[0035] In this description and in the following claims, a "mobile user session" is defined as a user session where at least one of the two devices included in a user session is a device external to the boundaries of a known network, for example, a mobile telephone attempting to access a corporate intranet via a public cellular telephone network. The type of device associated with a mobile user session may be a mobile computing device, such as telephonic device 100, a PDA, a pager, a hand-held device, a laptop computer, or other device typically associated with a mobile computing environment. However, a mobile user session may also include a session initiated from a non-mobile device such as a standard personal computer, telephone, or other device, if the origination of the user session is logically or physically outside the boundaries of a known network, for example, a public telephone attempting to access electronic mail included in a corporate intranet via a Public Switched Telephone Network ("PSTN"). In contrast, a mobile telephone, or similar device, may not be associated with a mobile user session if a user session originates internal to the boundaries of a known network, for example, a PDA linked directly to a corporate intranet via a wireless network adapter.

EP 1 301 006 A1

[0036] Telephonic device 100 may operate in a networked environment as shown in Figure 1B. Illustrated in Figure 1B are computing devices including telephonic device 100, PDA 101, and public telephone 102. Also illustrated are lines between these computing devices and other functional components included in the networked environment. These lines represent logical communication paths. Logical communication paths, such as logical communication path 130, may comprise a variety of network types, protocols, communication methods, or combinations thereof. For example, a logical communication path may include portions of a LAN or a WAN.

[0037] In this description, reference may be made to the computing devices illustrated in Figure 1B. However, the present invention is not limited to the illustrated computing devices. It would be apparent to one skilled in the art, after having reviewed this description, that a wide variety of computer system configurations, including those previously discussed, may be used to implement the principles of the present invention.
[0038] Logical communication paths may also include 
other program modules (not shown) that condition or for- 
mat portions of data so as to make them accessible to 
the illustrated computing devices and functional compo- 
nents. It may also be that the physical communication 
medium associated with a logical communication path 
changes during operation, for example, when a comput- 
ing device or functional component is included in a Vir- 
tual Private Network ("VPN"). In these embodiments, 
data packets may be transferred through the use of vir- 
tual connections that have no real physical presence. 
While data packets are delivered to the correct destina- 
tion in sequence, the data packets may be routed 
through various machines in an ad hoc manner. That is, 
no physical lines are dedicated to the connection. 
[0039] Logical communication paths may include portions of a cellular or digital network used by telephonic device 100 for voice communication. Logical communication paths may also include portions of telephone networks used by public telephone 102 for voice communication. Telephone networks used by public telephone 102 may include portions of a PSTN, as well as portions of more modern telephone networks based on digital technologies, such as Integrated Services Digital Network ("ISDN") and Fiber Distributed Data Interface ("FDDI").

[0040] Logical communication paths may also include portions of the Internet or other proprietary networks generally accessible to the computing devices and functional components illustrated in Figure 1B. Logical communication paths may also include combinations of any of the previously described networks.
[0041] Telephonic device 100 may communicate with public networks 140 over logical communication path 130, which may be a wireless communication link. Public networks 140 may include the cellular or digital networks used by telephonic devices for voice communications, the Internet, Public Switched Telephone Networks, modern telephone networks as previously described, other proprietary networks that are generally accessible to the computing devices in Figure 1B, or any combination thereof.

[0042] Public networks 140 may be connected to computing device 145 via logical communication path 133. Computing device 145 is illustrated as separate from public networks 140 to aid in clarifying operation of the present invention. However, the present invention is not limited to this embodiment. It would be apparent to one skilled in the art, after having reviewed this description, that computing device 145 may be included in public networks 140, as well as other networks, when implementing the principles of the present invention.
[0043] Also illustrated in Figure 1B is logical security boundary 150. Logical security boundary 150 is a logical representation of a boundary between public networks 140 and computing device 145. A boundary such as this may exist between a PSTN and a cellular or digital carrier network. It should be understood that logical security boundary 150 is merely a logical boundary. For example, in an embodiment including a VPN, communication may take place over any of the computing devices, functional components, or logical communication links in Figure 1B, including those in public networks 140.
[0044] A physical representation of logical security boundary 150 may include devices or systems designed to prevent unauthorized access to computing device 145. This physical representation may include a firewall, a packet filter, an application gateway, a circuit level gateway, a proxy server, other mechanisms used to protect a private network, or any combinations thereof. Physical representations of logical security boundary 150 may be implemented in hardware, software, or combinations thereof.

[0045] Computing device 145 may be connected to network resources 120 via logical communication path 134. Similar to the above discussion, embodiments of the present invention may exist where computing device 145 is included in network resources 120. It may also be that portions of network resources 120 are included in public networks 140.

[0046] Also illustrated in Figure 1B is logical security boundary 160. Logical security boundary 160 is a logical representation of a boundary between computing device 145 and network resources 120. A boundary such as this may exist between a cellular or digital carrier network and a corporate enterprise network. It should be understood that logical security boundary 160 is merely a logical boundary. For example, in an embodiment including a VPN, essentially secure communication may take place over any of the computing devices, functional components, or logical communication links in Figure 1B, including those in public networks 140 and network resources 120. A physical representation of logical security boundary 160 may include any of the physical representations discussed in relation to logical security boundary 150.

[0047] Shown in Figure 2 is a flow diagram illustrating a method for granting access to network resources. The method in Figure 2 will be discussed with reference to the computing devices and functional components included in Figure 1B.

[0048] Illustrated in Figure 2 are security module 210 and access granting module 220 performing acts. Security module 210 and access granting module 220 are separated by logical boundary 205. Security module 210 may be similar to security module 146 shown in Figure 1B. Access granting module 220 may be included in network resources 120. In one embodiment, security module 210 may be included as part of a digital or cellular carrier network and access granting module 220 may be included as part of a corporate enterprise network. In this embodiment, it may be that logical boundary 205 is similar to logical boundary 160. However, the present invention is not limited to the illustrated arrangement of computing devices and functional components. It would be apparent to one skilled in the art, after having reviewed this description, that a wide variety of different computing device and functional component arrangements, including those previously discussed, may be used to implement the principles of the present invention.

[0049] The method in Figure 2 may include an act of accessing characteristics of one or more authentication methods associated with a mobile user session (act 201). In one embodiment, act 201 may be performed by security module 210 included in a digital carrier network. In another embodiment, computing device 145 may access characteristics of authentication methods used by telephonic device 101. These characteristics may be associated with a mobile user session requesting access to network resources 120. Characteristics of an authentication method may include a type of authentication method and a type of device associated with an authentication method.

[0050] Characteristics of authentication methods that may be accessed in act 201 include varied types of passwords, varied types of biometric data, device identification numbers, caller line identification data, and environmental data, such as the time of day.
[0051] Passwords include a series of characters that, when received, may enable a user session to access network resources. Passwords may be simple or complex and may be input in different manners. A simple password may not be restricted by any set of rules that define how a password may be constructed. On the other hand, a complex password may be associated with such rules. For example, a complex password may be required to be at least a certain number of characters in length, may be required to include both upper and lower case characters, or may be required to include characters from different categories, such as English letters, Arabic numerals, or non-alphanumeric characters. When a password includes solely numeric digits, such as Arabic numerals, the password may be termed a Personal Identification Number ("PIN").
[0052] Passwords may be input from a keyboard associated with a computing device, in which case depressing one or more keys on the keyboard generates the password. All portions of the password may then be sent simultaneously when a transmit key is depressed.

[0053] Passwords may also be input from a keypad associated with a telephonic device, such as dialing controls 107 or a keypad included in public telephone 102. Entering passwords from a keypad may be facilitated by the use of dual tone multi-frequency ("DTMF") techniques. DTMF assigns a specific frequency, or tone, to each key on a touchtone keypad so that a key may be easily identified by a microprocessor. When passwords are entered using DTMF, data is transmitted each time a key is pressed. Entering numeric digits via DTMF tones may be termed as entering a DTMF PIN.

[0054] A password or PIN may also include spoken phrases. For example, when attempting to access network resources 120 via a mobile user session, a user may speak phrases into microphone 106. These phrases may be transmitted to computing device 145 for verification. Spoken phrases may be input in response to a challenge issued from a module, such as security module 146.

[0055] In addition to recognizing that a phrase was spoken, some authentication methods may access physical characteristics of the speech, such as tone or pitch. A computer may analyze these physical characteristics to determine if a spoken phrase has physical characteristics similar to an existing "voiceprint." Voiceprinting is a type of biometric authentication technique. Biometric authentication techniques are often techniques relying on measurable physical data that may be automatically checked. The data associated with a biometric authentication technique may be termed biometric data. Examples of other biometric authentication techniques include computer analysis of fingerprints and retinal scans. It should be understood that these are only examples of biometric authentication techniques. It would be obvious to those skilled in the art, after having reviewed this description, that the principles of the present invention may be practiced with virtually any technique that uses measurable physical data to facilitate authentication.

[0056] In performing act 201, characteristics of unknown, known, or secure devices may be accessed. An unknown device may be a device that has not previously been used to access network resources. For example, if PDA 101 had never before attempted to access network resources 120, security module 146 may determine that PDA 101 is an unknown device. Computing device 145 may also include a list or database of known devices. If public telephone 102 attempted to access network resources 120 and was not included in the list, public telephone 102 may be designated as an unknown device. Conversely, if public telephone 102 was included in the list, it may be designated as a known device.
[0057] A list or database including known devices may be configured in a variety of formats. For example, a list may include computer network addresses associated with computing devices or may include physical device identifiers, such as those burned into secure mobile telephones. A list may also include telephone numbers, in which case devices attempting to access network resources may be identified by caller identification data. It should be understood that these are only examples of lists that may facilitate identification of a device. It would be obvious to those skilled in the art, after having reviewed this description, that the principles of the present invention may be practiced with virtually any list that includes data used to facilitate identification of a device.
[0058] Devices may be designated as secure if they are associated with some level of trustworthiness. The trustworthiness of a device may be determined based on the location of the device. For example, a telephone inside a corporate office may be deemed secure. On the other hand, a public telephone 102, even if it is a known device, may not be deemed secure due to its location in a public place.

[0059] In addition to the location of a device, a device may be deemed secure based on the device's characteristics. For example, some computing devices have identification numbers hard-coded into components. These identification numbers may be associated with a user session or may be characteristics of an authentication method used by the computing device. Since identification numbers are hard-coded there may be a level of trustworthiness associated with computing devices including such numbers. This level of trustworthiness may be enough to deem such a computing device as a secure device.

[0060] Other characteristics that may be considered when determining a secure device include versions of an operating system, versions of firmware, the type of device, or the system resources currently available. It should be understood that these are only examples of characteristics that may facilitate a determination on the trustworthiness of a device. It would be obvious to those skilled in the art, after having reviewed this description, that determining a device is a secure device may be performed by considering virtually any physical characteristics associated with a device.

[0061] Accessed characteristics may also include a device type of a specific configuration. For example, computing device 145 may be able to detect that a device attempting to authenticate is a telephone, a computer, a mobile telephone, etc. Combinations of device types may also occur. For example, a device might be designated as a secure PDA, a known public telephone, or an unknown mobile telephone.
[0062] Other characteristics of an authentication method may also be accessed. For example, environmental information may be accessed, such as whether or not a mobile telephone is in a roaming configuration. Chronological information may also be accessed, such as the time of day, day of week, or when a user associated with a user session last accessed network resources. For example, if a user attempts to access network resources from a known device that recently went through a rigorous authentication process, granting access to additional resources may require little if any additional authentication. However, an unknown device may require significant additional authentication to be granted access to the same resources.

[0063] If a device has multiple communication channels, the communication channel associated with an authentication may be accessed. For example, a mobile phone or PDA may transmit a PIN over an out-of-band communication channel.

[0064] The method may also include an act of generating an authentication bundle representative of an extent of access to network resources by synthesizing the accessed characteristics (act 202). Synthesizing characteristics may be termed as combining accessed characteristics so as to form a new, more complex, authentication bundle. An authentication bundle may include data representative of the extent of access a requesting user session may be given. For example, synthesizing accessed characteristics of a password, and/or of biometric data, and/or of a device may generate an authentication bundle. Synthesizing characteristics in different variations may result in different authentication bundles.
[0065] In one embodiment, security module 146 may accumulate accessed characteristics to facilitate generation of an authentication bundle. This may occur when security module 146 is generating an authentication bundle for a user session associated with telephonic device 100. Accessed characteristics may not arrive simultaneously at security module 146. For example, security module 146 may access characteristics of a device type associated with telephonic device 100 before accessing characteristics of a voiceprint associated with telephonic device 100.

[0066] Other characteristics may be synthesized when generating an authentication bundle, for example, amounts of available resources associated with a user session, such as memory, disk space, or bandwidth available to a user session. In some configurations, a device associated with a user session may not be well suited for access to network resources. A device may be low on memory or disk resources, a device may be in a roaming configuration that hampers reliable communication, or a data transmission rate may be below a predetermined threshold. It should be understood that these are only examples of characteristics that may be synthesized. It would be obvious to those skilled in the art, after having reviewed this description, that the principles of the present invention may be practiced with virtually any physical characteristics associated with a device.

[0067] Synthesizing accessed characteristics in varied combinations may create a sliding scale for assigning access to network resources based on the trustworthiness of devices and authentication methods. For example, a user session authenticating with a DTMF PIN from a secure mobile phone may be given more access to network resources 120 than a user session authenticating with a DTMF PIN from public telephone 102.
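The synthesis described in acts 201 and 202 (paragraphs [0049] through [0067]), as an added example that is not code from the patent: characteristics of a session (device trust class looked up in a known-device list, password type, biometric type, environmental data) are accumulated, scored, and mapped onto an access tier, so that the same DTMF PIN yields different access from a secure mobile phone than from a public telephone. The known-device list, the weights, the tier thresholds and the identifier values are constructed assumptions; a deployment would substitute its own policy.

```python
"""Synthesising authentication characteristics into an authentication bundle.

Added illustration; not code from the patent. The device list, the weights
and the access tiers are constructed assumptions that stand in for whatever
policy a deployment would choose.
"""
from dataclasses import dataclass, field
from enum import Enum, IntEnum


class DeviceTrust(IntEnum):
    UNKNOWN = 0  # not in the known-device list ([0056])
    KNOWN = 1    # listed by network address, hardware ID or caller line ID ([0057])
    SECURE = 2   # known and in a trusted location or carrying a hard-coded ID ([0058], [0059])


# Constructed known-device list (assumption): (identifier type, value) -> trust class.
KNOWN_DEVICES = {
    ("caller_id", "+15550100"): DeviceTrust.KNOWN,           # e.g. a public telephone
    ("hw_id", "IMEI-000000000000001"): DeviceTrust.SECURE,   # hard-coded ID on a mobile phone
    ("net_addr", "10.1.2.3"): DeviceTrust.SECURE,            # a telephone inside the office
}

# Constructed weights (assumption): a higher weight is a more trustworthy characteristic.
PASSWORD_WEIGHT = {"none": 0, "dtmf_pin": 1, "simple": 1, "spoken_phrase": 2, "complex": 3}
BIOMETRIC_WEIGHT = {"none": 0, "voiceprint": 2, "fingerprint": 3, "retinal_scan": 3}
DEVICE_WEIGHT = {DeviceTrust.UNKNOWN: 0, DeviceTrust.KNOWN: 2, DeviceTrust.SECURE: 4}

# The sliding scale: a score maps onto one of these tiers rather than logged on/off.
ACCESS_TIERS = ["none", "public", "general", "sensitive"]


def classify_device(id_type: str, value: str) -> DeviceTrust:
    """Look the identifier up in the known-device list; unlisted devices are UNKNOWN."""
    return KNOWN_DEVICES.get((id_type, value), DeviceTrust.UNKNOWN)


def tier_for(score: int) -> str:
    """Constructed thresholds (assumption) mapping a synthesised score to a tier."""
    if score <= 0:
        return "none"
    if score <= 3:
        return "public"
    if score <= 6:
        return "general"
    return "sensitive"


@dataclass
class AuthBundle:
    methods: list = field(default_factory=list)  # characteristics that were synthesised
    score: int = 0
    access: str = "none"


class BundleBuilder:
    """Accumulates characteristics, which need not arrive at the same time ([0065])."""

    def __init__(self):
        self.characteristics = {}

    def add(self, name: str, value) -> "BundleBuilder":
        self.characteristics[name] = value
        return self

    def synthesize(self) -> AuthBundle:
        c = self.characteristics
        device = c.get("device", DeviceTrust.UNKNOWN)
        score = (DEVICE_WEIGHT[device]
                 + PASSWORD_WEIGHT[c.get("password", "none")]
                 + BIOMETRIC_WEIGHT[c.get("biometric", "none")])
        # Environmental characteristics ([0062], [0066]) can only lower the score here.
        if c.get("roaming"):
            score -= 1
        if c.get("bandwidth_kbps", 10_000) < 64:
            score -= 1
        score = max(score, 0)
        methods = [f"{k}={v.name if isinstance(v, Enum) else v}"
                   for k, v in sorted(c.items()) if k in ("device", "password", "biometric")]
        return AuthBundle(methods, score, tier_for(score))


def dtmf_pin_sessions():
    """The example from [0067]: same DTMF PIN, different devices, different access."""
    secure_phone = (BundleBuilder()
                    .add("device", classify_device("hw_id", "IMEI-000000000000001"))
                    .add("password", "dtmf_pin")
                    .synthesize())
    public_phone = (BundleBuilder()
                    .add("device", classify_device("caller_id", "+15550100"))
                    .add("password", "dtmf_pin")
                    .synthesize())
    return secure_phone, public_phone


if __name__ == "__main__":
    for bundle in dtmf_pin_sessions():
        print(bundle)
```

The bundle records which characteristics went into the score as well as the resulting tier, so a downstream access granting module can see not only how much access was computed but from what evidence, which is what lets it ask for a stronger method later rather than simply refusing.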
[0068] The method in Figure 2 may include accessing an authentication bundle that was generated by synthesizing characteristics of one or more authentication methods (act 203). As illustrated in Figure 2, this may include transferring performance of the included acts from security module 210 to access granting module 220. This is illustrative of an embodiment where a digital or cellular carrier may pass an authentication bundle to a corporate enterprise network. In this embodiment, logical boundary 205 may perform security operations on data passed between security module 210 and access granting module 220.
[0069] This is only an example of how an authentication bundle may be accessed. It may be that security module 210 and access granting module 220 are included in the same network or device, such as computing device 145. It would be obvious to those skilled in the art, after having reviewed this description, that the principles of the present invention may be practiced when a module accesses an authentication bundle from virtually any location.

[0070] The method in Figure 2 may include granting access to network resources wherein the extent of access may differ depending on the characteristics (act 204). Access granting module 220, which may be included in security module 146, may grant a user session access to the network resources represented in the authentication bundle. In one embodiment, receiving an authentication bundle may result in generation of an authorization token that is associated with a level of access to network resources. An authorization token may include data representative of the authentication methods employed by a user session.

[0071] In one embodiment, a user session may be granted less than a maximum level of access associated with a user. For example, a user may be associated with a level of access to network resources when authenticating from a connection included in a secure portion of a corporate intranet. However, when authenticating from a mobile phone, the user is not given the same level of access to network resources. This may be due to the reduced trustworthiness of using a mobile telephone or to the lack of secure authentication methods associated with the mobile phone. For example, perhaps the mobile phone is secure but voiceprinting is not supported.
[0072] In one embodiment, a module associated with logical security boundary 150 or logical security boundary 160, such as a firewall or other security mechanism previously described, may facilitate granting access to network resources. A filter or reverse proxy may be used to grant a user session less than a maximum level of access associated with a user. In these embodiments, an authentication bundle or authorization token may be passed to the filter or reverse proxy to facilitate granting this reduced access to a user session.



[0073] In one embodiment, access to network resources may be dynamically modified. During the course of a user session, authentication methods may become available or unavailable to the user session. This may be the result of environmental factors, the configuration of a device, or the physical condition of a user. For example, a mobile phone that initially authenticated by a DTMF PIN may later be prompted for a complex voice challenge when the user session attempts to access sensitive corporate data. Conversely, a user session initially authenticated using voiceprint may have access to network resources revoked, if the condition of a voice connection deteriorates during the session. In such cases, a new authentication bundle may be synthesized from accessed characteristics in existence at a certain time.
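Acts 203 and 204 and the dynamic modification of paragraphs [0070] through [0073], as an added example that is not code from the patent: an authorization token is derived from an authentication bundle and carries both the access level and the methods employed; a reverse-proxy filter checks the token against a per-resource policy and either allows the request, denies it, or asks for additional authentication (the voice challenge before sensitive data); when the session's characteristics change, a fresh bundle simply replaces the token. The bundle is taken here as a dict with an "access" tier and a "methods" list, and the token format, the HMAC key and the resource policy are constructed assumptions.

```python
"""Authorization token and reverse-proxy filter fed by an authentication bundle.

Added illustration; not code from the patent. The token format, the HMAC key
and the per-resource policy are constructed assumptions. A bundle is taken
here as a dict with an "access" tier and the "methods" it was synthesised from.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # assumption: a deployment would keep this in a KMS
TIERS = ["none", "public", "general", "sensitive"]

# Constructed per-resource policy (assumption): a minimum tier, plus methods that
# must have been employed, e.g. sensitive data demanding a voice challenge ([0073]).
RESOURCE_POLICY = {
    "/intranet/news": {"min_tier": "public", "requires": []},
    "/mail": {"min_tier": "general", "requires": []},
    "/finance/reports": {"min_tier": "sensitive", "requires": ["biometric=voiceprint"]},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(session_id: str, bundle: dict, issued_at: int) -> str:
    """Authorization token carrying the access level and the methods employed ([0070])."""
    payload = {"sid": session_id, "tier": bundle["access"],
               "methods": sorted(bundle["methods"]), "iat": issued_at}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SECRET, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_token(token: str):
    """Return the token's claims if the tag is genuine, otherwise None."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = _unb64(body_b64)
        expected = hmac.new(SECRET, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag_b64)):
            return None
        return json.loads(body)
    except (ValueError, TypeError):
        return None


def filter_request(token: str, path: str) -> tuple:
    """Reverse-proxy decision ([0072]): allow, deny, or ask for additional authentication."""
    policy = RESOURCE_POLICY.get(path)
    if policy is None:
        return ("deny", "unknown resource")
    claims = verify_token(token)
    if claims is None:
        return ("deny", "invalid token")
    # A missing required method is the step-up case: prompt rather than refuse outright.
    missing = [m for m in policy["requires"] if m not in claims["methods"]]
    if missing:
        return ("step_up", "additional authentication required: " + ", ".join(missing))
    if TIERS.index(claims["tier"]) < TIERS.index(policy["min_tier"]):
        return ("deny", f"tier {claims['tier']} below {policy['min_tier']}")
    return ("allow", claims["tier"])


def reissue_on_change(session_id: str, new_bundle: dict, issued_at: int) -> str:
    """Dynamic modification ([0073]): a newly synthesised bundle replaces the token."""
    return issue_token(session_id, new_bundle, issued_at)


if __name__ == "__main__":
    # Constructed bundles for one session whose voice connection later deteriorates.
    pin_only = {"access": "general", "methods": ["device=SECURE", "password=dtmf_pin"]}
    with_voice = {"access": "sensitive",
                  "methods": ["device=SECURE", "password=dtmf_pin", "biometric=voiceprint"]}
    tok = issue_token("sess-1", pin_only, 1700000000)
    print(filter_request(tok, "/finance/reports"))          # step_up: voice challenge
    tok = reissue_on_change("sess-1", with_voice, 1700000060)
    print(filter_request(tok, "/finance/reports"))          # allow
    tok = reissue_on_change("sess-1", pin_only, 1700000120)
    print(filter_request(tok, "/finance/reports"))          # step_up again: access revoked
```

Because the token is only a signed snapshot of the bundle, revocation needs no separate blacklist in this design: the proxy always evaluates the most recently issued token, so re-synthesising a weaker bundle after the voice connection degrades removes access to the resources that required it while leaving the rest of the session intact.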

[0074] By granting access to network resources based on the trustworthiness of authentication methods and devices, a sliding scale of access may be utilized. User sessions may be granted different access to network resources when logging in from different locations using different authentication methods. As a result, a single user account may be used to facilitate appropriate access to network resources for a user in any location. Additionally, since access is dynamically adjustable there is an increased chance the user will always have an appropriate level of access to network resources.
[0075] The present invention may be embodied in other specific forms without departing from its spirit or essential characteristics. The described embodiments are to be considered in all respects only as illustrative and not restrictive. The scope of the invention is, therefore, indicated by the appended claims rather than by the foregoing description. All changes, which come within the meaning and range of equivalency of the claims, are to be embraced within their scope.



Claims 

1. A method of generating an authentication bundle for granting a mobile user session access to network resources depending on at least one authentication method and a security of at least one device associated with the mobile user session so as to grant access that corresponds to the trustworthiness of the associated authentication methods and devices, the method for use in a computing device including a security module that may grant a user session access to network resources, the method comprising:

accessing characteristics of at least one authentication method associated with the mobile user session; and

generating an authentication bundle representative of access to network resources by synthesizing the accessed characteristics, wherein the authentication bundle may be used to grant the mobile user session access to network resources.

2. The method as recited in claim 1, wherein accessing characteristics of at least one authentication method associated with the mobile user session comprises at least one of:

accessing characteristics of at least one authentication method representative of the mobile user session;

accessing characteristics of a device associated with at least one authentication method;

accessing characteristics of a password associated with at least one authentication method; and

accessing characteristics of biometric data associated with at least one authentication method.

3. The method as recited in claim 2, wherein the accessing of characteristics of a device associated with at least one authentication method comprises at least one of:

accessing characteristics of a telephone associated with at least one of the authentication methods;

accessing characteristics of an unknown device associated with at least one of the authentication methods;

accessing characteristics of a secure device associated with at least one of the authentication methods; and

accessing characteristics of a computing device associated with at least one of the authentication methods.

4. The method as recited in claim 2, wherein accessing characteristics representative of a device associated with at least one authentication method comprises:

accessing characteristics of a known device associated with at least one of the authentication methods.

5. The method as recited in claim 4, wherein accessing characteristics of a known device associated with at least one of the authentication methods comprises:

accessing caller line identification data associated with a device.

6. The method as recited in claim 5, wherein accessing characteristics of a computing device associated with at least one of the authentication methods comprises at least one of:

accessing characteristics of a personal computer associated with at least one of the authentication methods; and

accessing characteristics of a mobile computing device associated with at least one of the authentication methods.

7. The method as recited in claim 6, wherein accessing characteristics of a mobile computing device associated with at least one of the authentication methods comprises at least one of:

accessing characteristics of a mobile telephone associated with at least one of the authentication methods;

accessing characteristics of a personal digital assistant associated with at least one of the authentication methods; and

accessing characteristics of a hand-held computer associated with at least one of the authentication methods.

8. The method as recited in claim 2, wherein accessing characteristics of a password associated with at least one authentication method comprises at least one of:

accessing characteristics of a personal identification number including dual tone multi-frequency tones associated with at least one of the authentication methods;

accessing characteristics of a personal identification number that includes spoken phrases associated with at least one of the authentication methods; and

accessing characteristics of a password that was transmitted from a mobile computing device out of band, the password being associated with at least one of the authentication methods.

9. The method as recited in claim 2, wherein accessing characteristics of biometric data associated with at least one authentication method comprises at least one of:

accessing characteristics of a voiceprint associated with at least one authentication method;

accessing characteristics of a fingerprint associated with at least one authentication method; and

accessing characteristics of a retinal scan associated with at least one authentication method.
10. The method as recited in claim 1, wherein generating an authentication bundle representative of access to network resources by synthesizing the accessed characteristics comprises at least one of:

generating an authentication bundle representative of access to network resources by synthesizing accessed characteristics associated with a device and accessed characteristics associated with a password;

generating an authentication bundle representative of access to network resources by synthesizing accessed characteristics associated with a device and accessed characteristics associated with biometric data;

generating an authentication bundle representative of access to network resources by synthesizing accessed characteristics associated with a password and accessed characteristics associated with biometric data;

generating an authentication bundle representative of access to network resources by synthesizing accessed characteristics associated with a device, accessed characteristics associated with a password and accessed characteristics associated with biometric data; and

generating an authentication bundle representative of access to network resources by synthesizing characteristics associated with the time at which at least one authentication method was executed.

11. A method for granting a mobile user session access to network resources depending on at least one authentication method and a security of at least one device associated with the mobile user session so as to grant access that corresponds to the trustworthiness of the associated authentication methods and devices, the method for use in a computing device including an access granting module that may grant a user session access to network resources, the method comprising:

accessing an authentication bundle, the authentication bundle having been generated by synthesizing characteristics of at least one authentication method associated with the mobile user session; and

granting access to network resources, wherein the extent of access may differ depending on the characteristics.

12. The method as recited in claim 11, wherein accessing an authentication bundle comprises at least one of:

the access granting module accessing an authentication bundle;

accessing an authentication bundle which causes the mobile user session to be granted access to the network resources represented by the authentication bundle;

accessing an authentication bundle which causes generation of an authorization token associated with a level of access to network resources; and

accessing an authentication bundle which causes generation of an authorization token that includes data representative of at least one authentication method associated with the mobile user session.

13. The method as recited in claim 12, wherein granting access to network resources comprises at least one of:

granting a mobile user session less than the maximum level of access associated with a user; and

modifying a mobile user session's existing access to network resources, the modified access being different than the existing access.

25 

14. The method as recited in claim 13, wherein granting a mobile user session less than the maximum level of access associated with a user comprises at least one of:

receiving an authentication bundle, which causes a filter to reduce the mobile user session's access to network resources to less than the maximum level of access associated with a user; and

receiving an authentication bundle, which causes a reverse proxy to reduce the mobile user session's access to network resources to less than the maximum level of access associated with a user.

15. The method as recited in claim 13, wherein modifying a mobile user session's existing access to network resources, the modified access being different than the existing access, comprises at least one of:

modifying a mobile user session's existing access to network resources by granting access to network resources in addition to the existing access; and

modifying a mobile user session's access to network resources by revoking some of the existing access to network resources.

16. The method as recited in claim 11, further comprising:

notifying a user associated with the mobile user session what network resources the mobile user session may access.

17. A computer program product comprising:

a computer-readable medium carrying computer-executable instructions, that when executed at a computing device, cause the computing device to perform all the steps of the method according to any one of claims 1 to 16.

18. The computer program product as recited in claim 17, wherein the computer-readable medium is a physical storage media.